Use of Hard-coded Password

Description

Applications that use authentication need a method for storing passwords. One of the simplest ways to store passwords is to hard-code them into the application. This approach is not secure, because anyone with access to the application code is able to recover these passwords. Once an attacker has recovered the passwords, they can use them to authenticate with the application.

Impact

Once the attacker has obtained the hard-coded password, they can use it to access the application. Usually, administrative passwords are the ones that are hard-coded. In that case, the attacker gains full access to the application. The attacker might be able to leverage this access to take full control of the application server.

Countermeasures

To prevent this vulnerability, provide a secure admin interface that allows changing passwords, and store passwords securely.

Provide a secure administrative interface that allows changing passwords:

Store passwords securely:
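The two countermeasures above, shown side by side as an added example (this code is not from the original article): the hard-coded check is the pattern to avoid, and the hardened version keeps no password in source, takes the initial administrative secret from a deployment-time environment variable (the variable name ADMIN_INITIAL_PASSWORD and the in-memory store are assumptions for this example), stores only a salted PBKDF2-HMAC-SHA256 hash, and exposes a change-password operation for the administrative interface to call.

```python
import hashlib
import hmac
import os
import secrets

# --- Vulnerable pattern (the "before"): the password is a literal compiled into
# the application. Anyone who can read the source or the binary recovers it, and
# it cannot be rotated without shipping a new build.
HARDCODED_ADMIN_PASSWORD = "admin123"  # constructed sample value for illustration


def vulnerable_check(username, password):
    return username == "admin" and password == HARDCODED_ADMIN_PASSWORD


# --- Hardened pattern: no password appears in source. Each account keeps a random
# salt and a PBKDF2-HMAC-SHA256 hash in a credential store (an in-memory dict here,
# standing in for a database table or secrets backend).
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for SHA-256


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    def __init__(self):
        self._records = {}  # username -> (salt, hash)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, _derive(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do a dummy derivation so unknown and known usernames take similar time.
            _derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(_derive(password, salt), stored)

    def change_password(self, username, current, new):
        # Called by the administrative interface; the current password is required.
        if not self.verify(username, current):
            return False
        self.set_password(username, new)
        return True


def bootstrap_admin(store, env=None):
    # The initial admin secret comes from the deployment environment (assumed
    # variable name ADMIN_INITIAL_PASSWORD), never from a literal in the code.
    env = os.environ if env is None else env
    initial = env.get("ADMIN_INITIAL_PASSWORD")
    if not initial:
        raise RuntimeError("ADMIN_INITIAL_PASSWORD must be set at deployment time")
    store.set_password("admin", initial)
    return store


if __name__ == "__main__":
    store = bootstrap_admin(CredentialStore(), env={"ADMIN_INITIAL_PASSWORD": "s3cret-initial"})
    print("initial login ok:", store.verify("admin", "s3cret-initial"))
    print("rotated:", store.change_password("admin", "s3cret-initial", "new-pass"))
    print("old password rejected:", not store.verify("admin", "s3cret-initial"))
```

The bootstrap step is the point where many applications fall back to a literal; reading the initial secret from the environment (or a secrets manager) and forcing a change through `change_password` keeps the value out of the repository and out of the build artefact.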

Application Check

To check for adequate protection against this vulnerability, ensure that a secure admin interface that allows changing passwords is provided, and that passwords are stored securely.

A secure administrative interface that allows changing passwords is provided:

Passwords are stored securely:
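One concrete way to perform the check above during code review, as an added example that is not part of the original article: a small AST-based scanner for Python source that flags string literals assigned to password-like names, compared against them, or passed as password-like keyword arguments. The sample source it runs over is constructed for the example, and the name pattern is a heuristic.

```python
import ast
import re

# Identifier fragments treated as credential-like (heuristic, tune per code base).
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|api_?key|token)", re.IGNORECASE)

# Constructed sample source; line numbers matter for the findings below.
SAMPLE_SOURCE = '''\
import os
ADMIN_PASSWORD = "admin123"                 # literal assignment: flagged
db_password = os.environ["DB_PASSWORD"]     # read from environment: not flagged
timeout = 30
def login(user, password):
    if user == "admin" and password == "letmein":   # literal comparison: flagged
        return True
    return verify(user, password)
connect(host="db", password="constructed-pw")       # literal keyword: flagged
api_key = ""                                # empty placeholder: not flagged
'''


def _is_sensitive(name):
    return bool(SENSITIVE_NAME.search(name))


def _string_literal(node):
    # Non-empty string constant; empty strings are treated as placeholders.
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def _target_names(assign):
    for target in assign.targets:
        if isinstance(target, ast.Name):
            yield target.id
        elif isinstance(target, ast.Attribute):
            yield target.attr


def find_hardcoded_passwords(source):
    """Return sorted (line, identifier, kind) tuples for suspected hard-coded passwords."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _string_literal(node.value):
            for name in _target_names(node):
                if _is_sensitive(name):
                    findings.append((node.lineno, name, "assignment"))
        elif isinstance(node, ast.Compare):
            operands = [node.left, *node.comparators]
            names = [n.id for n in operands if isinstance(n, ast.Name) and _is_sensitive(n.id)]
            if names and any(_string_literal(c) for c in operands):
                findings.append((node.lineno, names[0], "comparison"))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and _is_sensitive(kw.arg) and _string_literal(kw.value):
                    findings.append((node.lineno, kw.arg, "call keyword"))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, kind in find_hardcoded_passwords(SAMPLE_SOURCE):
        print(f"line {line}: {kind} of '{name}' uses a string literal")
```

A scanner like this catches the obvious cases cheaply in CI; it does not see credentials built by concatenation, stored in non-Python files, or held under names the pattern misses, so it complements rather than replaces a secrets-scanning tool and a manual review of how the stored hashes and the password-change path are implemented.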
